[kwlug-disc] Drupal - pre Auth SQL Injection Vulnerability

Khalid Baheyeldin kb at 2bits.com
Fri Oct 17 09:53:49 EDT 2014


Here is the FAQ on the SQL injection exploit.

https://www.drupal.org/node/2357241

There are more exploits by the day.

Many of them try to insert an entry into the menu_router that maps
to a PHP eval that retrieves a remote PHP file, and tries to stash it
somewhere under /modules. Then a GET request to the menu router path
from a Cookie should execute the PHP.

If your server makes only the "files" directory within Drupal writable
to the web server user, not the entire Drupal itself, then you are
safe, since they can't write a PHP file where it can be executed. A
simple drush cc all or drush cc menu will clear the exploit attempt
from the menu table.

Note that they do all the above with POST variables, not in the URL,
and access it with Cookies, so nothing gets logged in the Apache log.

Some of the exploits fix the SQL injection as well! This is not
altruistic, but to prevent other malicious users from exploiting the
same site.

The exploit about creating an admin user is more concerning, since it
is under the radar, and does not depend on writable Drupal
directories.
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
For every complex problem, there is an answer that is clear, simple,
and wrong." -- H.L. Mencken
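
The file-permission condition described in the message above (only the "files" directory writable by the web server user), as an added audit script that is not part of the original post. It assumes the standard Drupal layout of sites/<site>/files and plain POSIX mode bits; the path and user name on the command line are placeholders.

```python
"""Audit a Drupal tree for directories the web server user can write to,
other than the "files" directories. Added example; assumes the standard
sites/<site>/files layout and plain POSIX mode bits (ACLs are not read)."""
import os
import pwd
import stat
import sys


def writable_by(st, uid, gids):
    # POSIX picks exactly one permission class: owner, else group, else other.
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def is_files_dir(rel):
    # Matches sites/<site>/files, the one place uploads are meant to land.
    parts = rel.split(os.sep)
    return len(parts) == 3 and parts[0] == "sites" and parts[2] == "files"


def audit(drupal_root, uid, gids):
    """Return relative paths of writable directories outside files/."""
    findings = []
    for dirpath, dirnames, _ in os.walk(drupal_root):
        rel = os.path.relpath(dirpath, drupal_root)
        if is_files_dir(rel):
            dirnames[:] = []  # expected to be writable; do not descend
            continue
        if writable_by(os.lstat(dirpath), uid, gids):
            findings.append(rel)
    return sorted(findings)


if __name__ == "__main__":
    # Usage: audit.py /path/to/drupal web-server-user (both are placeholders)
    root, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    bad = audit(root, pw.pw_uid, gids)
    for rel in bad:
        print("writable by %s: %s" % (user, os.path.join(root, rel)))
    sys.exit(1 if bad else 0)
```

The script checks directories only; an empty result does not cover individual files that the web server user may be able to overwrite.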




